Fix IPv6 connectivity on downstream qubes

[ben-grande]

How to file a helpful issue

Qubes OS release

R4.2

Brief summary

I have a router with IPv4 and IPv6 addresses. Network manager enables both to be used.

I followed the steps to enable IPv6, also restarted all netvms in the same chain. I configured on the Network Manager to use only the IPv6 connection and disable IPv4.

Only sys-net has network and every qube below it does not have network, no dns, no IPv4, no IPv6.

Steps to reproduce

Test on sys-net and sys-firewall:

• sys-net:

  $ curl -6 https://v6.ipv6test.app
  [IPv6 ADDRESS]

• sys-firewall:

  $ curl -6 https://v6.ipv6test.app
  curl: (7) Failed to connect to v6.ipv6test.app port 443 after 5226 ms: Couldn't connect to server

• sys-firewall test ipv4:

  $ curl https://google.com
  <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
  <TITLE>301 Moved</TITLE></HEAD><BODY>
  <H1>301 Moved</H1>
  The document has moved
  <A HREF="https://www.google.com/">here</A>.
  </BODY></HTML>

• sys-firewall test ipv6 DNS

  
  $ curl v6.ipv6test.app -vv

• Trying [2600:9000:275f:a800:18:3c03:3680:93a1]:443...

• Immediate connect fail for 2600:9000:275f:a800:18:3c03:3680:93a1: Network is unreachable

• Failed to connect to v6.ipv6test.app port 443 after 3220 ms: Couldn't connect to server

• Closing connection 0 curl: (7) Failed to connect to v6.ipv6test.app port 443 after 3220 ms: Couldn't connect to server

$ curl 1.1.1.1

301 Moved Permanently

---

cloudflare

- Enable IPv6 for sys-net:
```sh
qvm-features sys-net ipv6 1

• Restart sys-net and every qube in chain.
• Disable IPv4 on sys-net Network Manager of sys-net

Retry the the connection:

• sys-net:

  $ curl -6 https://v6.ipv6test.app
  [IPv6 ADDRESS]

• sys-firewall:

  $ curl -6 https://v6.ipv6test.app
  curl: (6) Could not resolve host: v6.ipv6test.app
  $ curl https://google.com
  curl: (6) Could not resolve host: google.com
  $ curl 1.1.1.1
  curl: (6) Could not resolve host: 1.1.1.1

Expected behavior

Network functional.

Actual behavior

No network, no DNS, no IPv4, no IPv6.

[unman]

Can you ping sys-net from sys-firewall?

[ben-grande]

Can you ping sys-net from sys-firewall?

I can ping sys-net from sys-firewall successfully before and after doing the changes.

[unman]

To be clear ping6 both ways?

[unman]

Can you ping6 router by IPv6 address from both ?

[ben-grande]

To be clear ping6 both ways?

From sys-firewall to sys-net using the value of eth0 inet6 address (got from sys-firewall), ping -6 works before and after disabling IPv4.

[unman]

ping6 2001:4860:4860::8888 from both?

[unman]

I ask because I have working 6 Did you remember to set nameserver?

[unman]

example.com provides ip4 and ip6 hosts for testing. Quad9 is 2620:fe::fe

traceroute6 may show you the issue

[ben-grande]

ping6 2001:4860:4860::8888 from both?

Works from both sys-net and sys-firewall before and after disabling IPv4.

I ask because I have working 6 Did you remember to set nameserver?

On sys-net, with IPv4 and IPv6 enabled, the Network Manager sets /etc/resolv.conf nameservers to the IPv4 address and IPv6 address of the router.

I did not set nameserver manully on sys-net or sys-firewall. After disabling IPv4, only the IPv6 nameserver remains on sys-net /etc/resolv.conf.

I am not sure to which extent does Qubes IPv6 DNS limitations to IPv6-only networks applies.

example.com provides ip4 and ip6 hosts for testing. Quad9 is 2620:fe::fe traceroute6 may show you the issue

From sys-firewall, pinging example.com with -4 and -6 works before disabling IPv4. After disabling, DNS is not resolved and I can ping only by IPv6 address, such as ping6 2001:4860:4860::8888.

I did not understand how to use traceroute in this case, therefore I used tcpdump.

Before disabling IPv4

• sys-net monitoring downstream (sys-firewall) calling ping -c1 example.com (works):

  IP 10.138.5.10.46244 > 10.139.1.1.domain: 54727+ A? example.com. (29)
  IP 10.138.5.10.46244 > 10.139.1.1.domain: 28354+ AAAA? example.com. (29)
  IP 10.139.1.1.domain > 10.138.5.10.46244: 54727 1/0/0 A 93.184.215.14 (45)
  IP 10.139.1.1.domain > 10.138.5.10.46244: 28354 1/0/0 AAAA 2606:2800:21f:cb07:6820:80da:af6b:8b2c (57)
  IP 10.138.5.10 > 93.184.215.14: ICMP echo request, id 60127, seq 1, length 64
  IP 93.184.215.14 > 10.138.5.10: ICMP echo reply, id 60127, seq 1, length 64
  IP 10.138.5.10.40387 > 10.139.1.1.domain: 55144+ PTR? 14.215.184.93.in-addr.arpa. (44)
  IP 10.139.1.1.domain > 10.138.5.10.40387: 55144 NXDomain 0/0/0 (44)

• sys-net monitoring downstream (sys-firewall) calling ping6 -c1 example.com (works):

  IP 10.138.5.10.57357 > 10.139.1.1.domain: 15543+ A? example.com. (29)
  IP 10.138.5.10.57357 > 10.139.1.1.domain: 29361+ AAAA? example.com. (29)
  IP 10.139.1.1.domain > 10.138.5.10.57357: 15543 1/0/0 A 93.184.215.14 (45)
  IP 10.139.1.1.domain > 10.138.5.10.57357: 29361 1/0/0 AAAA 2606:2800:21f:cb07:6820:80da:af6b:8b2c (57)
  IP 10.138.5.10.55898 > 10.139.1.1.domain: 46406+ PTR? c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa. (90)
  IP 10.139.1.1.domain > 10.138.5.10.55898: 46406 NXDomain 0/0/0 (90)
  IP6 fd09:24ef:4179::a8a:500 > 2606:2800:21f:cb07:6820:80da:af6b:8b2c: ICMP6, echo request, id 4095, seq 1, length 64
  IP6 2606:2800:21f:cb07:6820:80da:af6b:8b2c > fd09:24ef:4179::a8a:500: ICMP6, echo reply, id 4095, seq 1, length 64
  IP 10.138.5.10.45985 > 10.139.1.1.domain: 38159+ PTR? c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa. (90)
  IP 10.139.1.1.domain > 10.138.5.10.45985: 38159 NXDomain 0/0/0 (90)

After disabling IPv4

• sys-net monitoring downstream (sys-firewall) calling ping -c1 example.com (fails expected?):

  IP 10.138.5.10.47235 > 10.139.1.1.domain: 6731+ A? example.com. (29)
  IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
  IP 10.138.5.10.47235 > 10.139.1.1.domain: 20556+ AAAA? example.com. (29)
  IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
  IP 10.138.5.10.45426 > 10.139.1.2.domain: 6731+ A? example.com. (29)
  IP 10.138.5.10.45426 > 10.139.1.2.domain: 20556+ AAAA? example.com. (29)

• sys-net monitoring downstream (sys-firewall) calling ping6 -c1 example.com (fails unexpected):

  IP 10.138.5.10.43045 > 10.139.1.1.domain: 61814+ A? example.com. (29)
  IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
  IP 10.138.5.10.43045 > 10.139.1.1.domain: 27405+ AAAA? example.com. (29)
  IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
  IP 10.138.5.10.35613 > 10.139.1.2.domain: 61814+ A? example.com. (29)
  IP 10.138.5.10.35613 > 10.139.1.2.domain: 27405+ AAAA? example.com. (29)

• sys-net monitoring downstream (sys-firewall) calling ping6 -c1 2606:2800:21f:cb07:6820:80da:af6b:8b2c (works):

  IP6 fd09:24ef:4179::a8a:500 > 2606:2800:21f:cb07:6820:80da:af6b:8b2c: ICMP6, echo request, id 28242, seq 1, length 64
  IP6 2606:2800:21f:cb07:6820:80da:af6b:8b2c > fd09:24ef:4179::a8a:500: ICMP6, echo reply, id 28242, seq 1, length 64

[ben-grande]

Ok, I used traceroute now.

Before disabling IPv4, traceoute6 example.com is fast on sys-net and sys-firewall.

After disabling IPv4, traceoute6 example.com is fast on sys-net and very slow (2+ minutes) on sys-firewall.

Following quotes are from IPv6 limitations in Qubes.

Currently only IPv4 DNS servers are configured, regardless of ipv6 feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not.

That is good.

Configuring qubes to always use IPv6 DNS and only fallback to IPv4 may result in relatively long timeouts and poor usability.

Not good, does this issue fall into Qubes IPv6 DNS code stalled?

But note that DNS using IPv4 does not prevent to return IPv6 addresses. In practice this is only a problem for IPv6-only networks.